Add flag for disabling babel-preprocessing in nodejs-scan SAST analyzer
Problem to solve
Our nodejs-scan analyzer currently preprocesses all javascript in order to strip comments. This is brittle in requiring frequent updates to support new ECMA syntaxes and an extensive processing step prior to scanning.
There are many arguments to be made for our scanners failing due to invalid syntax which are being discussed within #7102 (closed), however to enable usage of our scanners more generally we should explore modifying the precompilation step to make it optional.
Alternatives to babel
We should additionally explore alternative tools to babel in order to strip comments, perhaps some that do not require valid syntax, such as https://www.npmjs.com/package/strip-comments. This exploration should take into account performance indicators and efficacy compared to the current approach.
Babel requires ongoing maintenance and frequent updates in order to support new backfills and presets; i.e. ECMA 2019 syntax is not yet supported. If we can find a simpler tool for stripping comments it could be significantly easier to maintain.
Intended users
Further details
Proposal
-
Add new ENVvariable for disabling preprocessing steps for analyzers/nodejs-scan -
Retain default preprocessing behavior -
Document new ENVvariable -
Explore less strict alternatives to babel for stripping comments
Permissions and Security
No change to permissions/security
Documentation
Document new ENV variable for disabling comment stripping
Testing
- Add new test project with invalid JS syntax that allows ~sast scans
-
nodejs-scanshould pass ongitlab-org/gitlab, see recent issue release-tools!721 (merged)
What does success look like, and how can we measure that?
- User should be able to bypass preprocessing
- Scanner should strip comments without requiring valid syntax (if alternative to babel is found)